Top Ten Reasons Why Developers Don’t Adopt ABAC

DESCRIPTION

We’ve all heard excuses for why application developers resist adopting externalized authorization and ABAC approaches; it is sometimes a lot like listening to a teenager trying to explain away their latest transgression. At Axiomatics, we’ve also heard many excuses over the years, and they range from legitimate to debatable. In this session, Gerry Gebel will review our Top Ten reasons for not adopting ABAC, plus a rebuttal for each.

TRANSCRIPT
![Page 1: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/1.jpg)
Top Ten Reasons Why Developers Don’t Adopt ABAC
IRM Summit – Phoenix – June 2014
Gerry Gebel, Axiomatics, [email protected], @ggebel
© 2014 Axiomatics AB 1
![Page 2: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/2.jpg)
IRM Summit 2014
![Page 3: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/3.jpg)
Agenda
§ Business trends and ABAC
§ Top Ten List
![Page 4: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/4.jpg)
Business Trends & ABAC
![Page 5: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/5.jpg)
What is Attribute Based Access Control (ABAC)?
§ A mode of externalized authorization
§ Authorization policies/rules are managed in a centralized service (deployment can be centralized, distributed or hybrid)
§ The Extensible Access Control Markup Language (XACML) is an example of an ABAC system
§ Policies use attributes to describe specific access rules, which is why it is called attribute based access control
![Page 6: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/6.jpg)
Business challenge: collaboration depends on efficient information sharing, which depends on precision in access controls.
![Page 7: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/7.jpg)
Business challenge: speed in business transactions depends on efficient delegation of powers, while losses due to fraud or excessive risk taking are minimized.
![Page 8: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/8.jpg)
Business challenge: regulatory compliance depends on efficient IT governance, which in turn depends on correct and verifiable authorizations.
![Page 9: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/9.jpg)
The data protection problem
Protecting credit card numbers, financial data, accounts, etc.
![Page 10: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/10.jpg)
The data protection problem
Information storage – global increase (based on Hilbert and Lopez, 2011)
[Chart: worldwide information storage, 1986–2007; roughly 0.7% digital at the start of the period and roughly 93% digital at the end. Access control models placed along the same timeline: DAC, MAC, RBAC, ABAC, with increasing access control challenges.]
![Page 11: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/11.jpg)
Legacy access controls fail in dynamic environments
[Diagram: legacy access control vs. attribute based access control]
![Page 12: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/12.jpg)
Policy example – expanded from NIST* report
§ Nurse Practitioners can View the Records of Patients in the same Department they are assigned to during shift hours
§ This rule can apply to all departments in the hospital
§ Add a new department or change the names of departments and the rule does not change
§ The rule compares the department of the Nurse Practitioner to the department of the Patient
The rule is annotated on the slide with all four attribute categories: subject attributes, action attributes, resource attributes and environment.
* nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
![Page 13: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/13.jpg)
Top Ten List
![Page 14: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/14.jpg)
ABAC Degree of Difficulty (aka ADD)
![Page 15: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/15.jpg)
1. “It will impact performance”
![Page 16: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/16.jpg)
Response #1
§ There are many ways to scale or configure for maximum performance
  § Utilize caching of policies, attributes and decisions
  § Employ faster communication protocols, like Apache Thrift
  § Place the decision engine closer to the application it’s protecting
  § Embed the decision engine within the application to eliminate network hops
  § Use smart policy modeling to make evaluations more efficient
§ ABAC systems are proven in very large deployments
  § 200+ million users
  § 20,000 access requests per second
§ Your ABAC system should have many modes of operation to address many scenarios
![Page 17: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/17.jpg)
2. “I don’t like XML”
![Page 18: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/18.jpg)
Response #2
§ Fine, don’t use it… try JSON instead
§ Go from this:

```xml
<xacml-ctx:Request ReturnPolicyIdList="true" CombinedDecision="false"
    xmlns:xacml-ctx="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">hello</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
  <xacml-ctx:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <xacml-ctx:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="true">
      <xacml-ctx:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">say</xacml-ctx:AttributeValue>
    </xacml-ctx:Attribute>
  </xacml-ctx:Attributes>
</xacml-ctx:Request>
```
![Page 19: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/19.jpg)
Response #2
§ To this:

```json
{"subject": {"attribute":[{ "attributeId":"username", "value":"alice"}]},
 "resource": {"attribute":[{ "attributeId":"resource-id", "value":"hello"}]},
 "action": {"attribute":[{ "attributeId":"action-id", "value":"say"}]}}
```

[Chart: character count of the two requests, XML vs. JSON, on a 0–1400 scale]
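As an added example (not from the slides or from Axiomatics), here is a minimal decision function that parses a request in the JSON layout just shown and evaluates the nurse-practitioner rule from the policy example slide. The attribute ids (role, department, resource-type, current-time) and the shift hours are assumptions; a request missing an attribute the condition needs yields Indeterminate, never a silent Permit.

```python
import json
from datetime import time

SHIFT_START, SHIFT_END = time(7, 0), time(19, 0)  # assumed shift hours

def attrs(d):
    """Wrap a {attributeId: value} dict in the slide's JSON attribute-list shape."""
    return {"attribute": [{"attributeId": k, "value": v} for k, v in d.items()]}

# Constructed sample request: the slide's subject/resource/action layout plus the
# attributes the nurse-practitioner rule needs (attribute ids are assumed).
SAMPLE_REQUEST = json.dumps({
    "subject": attrs({"username": "alice", "role": "nurse practitioner", "department": "cardiology"}),
    "resource": attrs({"resource-id": "record-42", "resource-type": "patient-record", "department": "cardiology"}),
    "action": attrs({"action-id": "view"}),
    "environment": attrs({"current-time": "10:30"}),
})

def parse_request(raw):
    """Flatten the request into {category: {attributeId: [values]}} (bags, as in XACML)."""
    bags = {}
    for category, body in json.loads(raw).items():
        cat = bags.setdefault(category, {})
        for attr in body.get("attribute", []):
            cat.setdefault(attr["attributeId"], []).append(attr["value"])
    return bags

def evaluate(raw):
    """Decide the nurse-practitioner rule; the enclosing policy is deny-by-default."""
    bags = parse_request(raw)
    get = lambda cat, aid: bags.get(cat, {}).get(aid, [])
    # Target: is this rule about the request at all?
    if not ("nurse practitioner" in get("subject", "role")
            and "view" in get("action", "action-id")
            and "patient-record" in get("resource", "resource-type")):
        return "NotApplicable"
    # Condition: same department, during shift hours. A missing attribute is
    # Indeterminate, never a silent Permit; the PEP must treat it as Deny.
    subj_dept, res_dept = get("subject", "department"), get("resource", "department")
    clock = get("environment", "current-time")
    if not (subj_dept and res_dept and clock):
        return "Indeterminate"
    now = time.fromisoformat(clock[0])
    same_dept = bool(set(subj_dept) & set(res_dept))
    on_shift = SHIFT_START <= now <= SHIFT_END
    return "Permit" if same_dept and on_shift else "Deny"
```

Renaming a department changes only the attribute values in the request, not the rule, which is the point the policy example slide makes.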
![Page 20: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/20.jpg)
3. “It makes the system more complex”
![Page 21: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/21.jpg)
Response #3
§ So you prefer to pollute your application code with security stuff?
§ There are trade-offs to consider when outsourcing functions to an external service
§ For the developer, the interface is very simple
  § Send a package of attributes to the AuthZ service
  § Process the Permit/Deny response
[Diagram: application talking to the AuthZ service over REST]
![Page 22: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/22.jpg)
4. “I can do it faster myself”
![Page 23: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/23.jpg)
Response #4
§ IT lead time to set up an authorization service can be long
  § Especially if you have heavyweight processes for setting up new hardware, VM images, etc.
§ One-time pain generates many returns for future projects
  § But few want to be the first mover
§ Option: bundle the authorization service with your application
  § Less reliance on IT services
  § All the necessary components are packaged with the application
![Page 24: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/24.jpg)
5. “I don’t care about enterprise issues”
,
![Page 25: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/25.jpg)
Response #5
§ What are the results of this bad attitude?
§ IT has to provision accounts and identity data to every application built this way (which launched the comma into IAM legend status)
§ Legions of application managers now hate you because they have to manually review stacks of permissions and roles from your app and from everyone else who built apps the same way
§ Congratulations, we now have 500 applications and 50,000 roles
![Page 26: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/26.jpg)
6. “My code is more flexible”
![Page 27: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/27.jpg)
Response #6
§ You may be right, for a particular use case
§ But:
  § How long did it take to code?
  § Is it adaptable to the next scenario?
  § How much effort is required to maintain your code?
![Page 28: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/28.jpg)
7. “I don’t know where the attributes are”
![Page 29: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/29.jpg)
Response #7
§ No need to concern yourself
§ Just send the attributes available in the user session:
  § Subject identifier
  § Resource identifier
  § Action
  § Role or group info
  § Device type
  § Authentication type
  § Etc.
§ The authorization service handles the rest, looking up additional attributes if necessary
![Page 30: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/30.jpg)
8. “What if the external service fails?”
![Page 31: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/31.jpg)
Response #8
§ Practice good hygiene
  § Eliminate single points of failure
  § Understand failure modes and document processes for recovery
  § Implement change control processes that permit rollback to a known state
§ But these are tasks for the IT department, and it’s their specialty
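An added example (not Axiomatics code) of the developer-side interface from Responses #1, #3 and #8: a hypothetical PEP helper that packs session attributes in the slide’s subject/resource/action JSON layout, caches each decision for a short TTL, and fails closed when the decision service cannot be reached. The decision service is injected as a callable `send_to_pdp` (assumed), so the example runs offline.

```python
import json
import time


class PolicyEnforcementPoint:
    """Hypothetical PEP (added example): packs session attributes, asks the
    decision service, caches the answer briefly and fails closed on error."""

    def __init__(self, send_to_pdp, ttl=30.0, clock=time.monotonic):
        self._send = send_to_pdp      # callable: request JSON -> decision string
        self._ttl, self._clock = ttl, clock
        self._cache = {}              # request JSON -> (decision, expiry)
        self.stats = {"calls": 0, "hits": 0, "failures": 0}

    @staticmethod
    def request_json(subject, resource, action):
        """Build the slide's subject/resource/action JSON from plain dicts.
        Keys are sorted so identical requests produce one cache key."""
        wrap = lambda d: {"attribute": [{"attributeId": k, "value": v}
                                        for k, v in sorted(d.items())]}
        return json.dumps({"subject": wrap(subject), "resource": wrap(resource),
                           "action": wrap(action)}, sort_keys=True)

    def is_permitted(self, subject, resource, action):
        """True only on an explicit Permit. Deny, NotApplicable, Indeterminate,
        a garbled reply or an unreachable PDP all mean no access (fail closed)."""
        key = self.request_json(subject, resource, action)
        cached = self._cache.get(key)
        if cached and cached[1] > self._clock():
            self.stats["hits"] += 1
            return cached[0] == "Permit"
        self.stats["calls"] += 1
        try:
            decision = self._send(key)
        except Exception:          # timeout, connection refused, bad JSON ...
            self.stats["failures"] += 1
            return False           # never fall back to a stale Permit
        # A cached Permit delays revocation by up to ttl seconds; keep it short.
        self._cache[key] = (decision, self._clock() + self._ttl)
        return decision == "Permit"
```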
![Page 32: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/32.jpg)
9. “Who will manage the policies, me?”
![Page 33: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/33.jpg)
Response #9
§ If you insist, yes
§ Policies are easily created using the ALFA shorthand syntax
  § Similar to C# or Java
  § Plug-in for Eclipse
  § Submitted to OASIS for standardization
§ Or you can rely on the business owner, security office or system administrators to create and manage access policies
  § It’s another item off your plate
![Page 34: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/34.jpg)
10. “Isn’t ABAC just a new fad?”
Like, say, sock shots at conferences…
![Page 35: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/35.jpg)
Response #10: The ABAC trend
§ 2005 – XACML version 2.0: concept production-ready for enterprise needs.
§ 2006 – Axiomatics founded. First project: a nation-wide eHealth service.
§ 2009 – US Federal CIO Council (FICAM) Roadmap and Implementation Plan v1.0 advocates ABAC.
§ 2011 – FICAM v2.0: ABAC recommended access control model for promoting information sharing between diverse and disparate organizations.
§ 2013 – XACML version 3.0.
§ 2014 – NIST Guide on ABAC.
§ 2014 – Gartner predicts: “By 2020, 70% of all businesses will use ABAC as the dominant mechanism to protect critical assets, up from 5% today.”
ABAC = Attribute Based Access Control
![Page 36: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/36.jpg)
Wrapping up
![Page 37: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/37.jpg)
Summary
§ Touched on some issues of why developers resist ABAC
§ There are others…
§ Hopefully you’ve learned some ways to deal with objections
![Page 38: Top Ten Reasons Why Developers Don’t Adopt ABAC](https://reader033.vdocuments.net/reader033/viewer/2022052619/5564c5d3d8b42a7e178b5537/html5/thumbnails/38.jpg)
Questions? Thank you for listening